Changeset 8177

Timestamp:

11/21/07 05:00:25 (2 years ago)

Author:

nzkoz

Message:

Merge [8176] to stable to fix session fixation attacks. Closes #10048 [theflow, Koz]

Files:

• branches/1-2-stable/actionpack/lib/action_controller/cgi_process.rb (modified) (4 diffs)
• branches/1-2-stable/actionpack/test/controller/session_fixation_test.rb (added)

branches/1-2-stable/actionpack/lib/action_controller/cgi_process.rb

@@ -37 +37 @@
-
-  class CgiRequest < AbstractRequest #:nodoc:
-, :cookie_only
+
-    class SessionFixationAttempt < StandardError; end #:nodoc:
-
@@ -44 +44 @@
-      :prefix           => "ruby_sess.",
-      :session_path     => "/",
+      :session_key      => "_session_id",
-      :cookie_only      => true
-    } unless const_defined?(:DEFAULT_SESSION_OPTIONS)
@@ -51 +52 @@
-      @session_options = session_options
-      @env = @cgi.send(:env_table)
-      @cookie_only = session_options.delete :cookie_only
-      super()
+    end
+
+    def cookie_only?
+      session_options_with_string_keys['cookie_only']
-    end
-
@@ -115 +119 @@
-        else
-          stale_session_check! do
-@cookie_only
+cookie_only?
-              raise SessionFixationAttempt
-            end